Reason why devices on two private networks cannot communicate after IPSec is configured on the AR

Devices on two private networks fail to communicate with each other after IPSec is configured. The possible causes are as follows:
-The public addresses of the two IPSec-enabled devices cannot ping each other. Verify reachability between the tunnel endpoints before troubleshooting the tunnel itself; no SA can be negotiated if the peers cannot reach each other.
-The data flow to be encapsulated with the IPSec header is defined incorrectly, or both IPSec and NAT are performed on the same data flow. Run the display acl all command to check which ACL rules the traffic matches. When the NAT ACL and the IPSec ACL both select the same flow, NAT translates the source address before the IPSec policy is evaluated, so the IPSec ACL (which matches the private address) no longer matches and the traffic leaves the public interface untranslated by IPSec, that is, in clear text. Use either of the following methods to prevent the overlap:
  -In the ACL referenced by NAT, deny the source and destination addresses that the IPSec ACL protects, with the deny rule placed before the NAT permit rule. The device then does not perform NAT on the data flow protected by IPSec.
  -Define the ACL referenced by IPSec to match the NAT-translated (public) source IP address instead of the private address.
-The AR has learned an incorrect route to the remote private network. The outbound interface of the route to the destination private network must be the public network interface on which the IPSec policy is applied; if the route points elsewhere, the traffic never reaches the IPSec policy.
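The following Python model, added here as an illustration and not taken from the AR documentation or firmware, shows the NAT/IPSec overlap from the second cause above (and from the related entries below that restate it): outbound NAT is applied before the IPSec policy on the same interface, so an overlapping NAT ACL rewrites the source address and the IPSec ACL misses. Both fixes from the page are modelled. The ACL matcher uses Huawei-style wildcard masks; the addresses, ACL contents and the NAT-before-IPSec ordering are assumptions made for the example.

```python
# Model of the outbound path on an IPSec-enabled public interface, showing how
# a NAT/IPSec ACL overlap makes the IPSec ACL miss and how the two fixes from
# the page restore encryption. Added example: a simplified model, not AR code.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    """One advanced-ACL rule with Huawei-style wildcard masks (0 bits must match)."""
    action: str                        # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # default: any destination

    @staticmethod
    def _in(addr: str, net: str, wild: str) -> bool:
        care = ~int(ip_address(wild)) & 0xFFFFFFFF
        return int(ip_address(addr)) & care == int(ip_address(net)) & care

    def matches(self, pkt: Packet) -> bool:
        return self._in(pkt.src, self.src, self.src_wild) and \
            self._in(pkt.dst, self.dst, self.dst_wild)


def acl_permits(rules, pkt: Packet) -> bool:
    """First matching rule wins; no match means the ACL does not select the flow."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


def forward(pkt: Packet, nat_acl, public_ip: str, ipsec_acl) -> dict:
    """Assumed ordering: nat outbound runs before the IPSec policy on the same
    interface, so the IPSec ACL is evaluated against the translated packet."""
    if acl_permits(nat_acl, pkt):
        pkt = Packet(public_ip, pkt.dst)
    return {"src_on_wire": pkt.src, "encrypted": acl_permits(ipsec_acl, pkt)}


# Constructed sample topology (documentation addresses, not from the page).
LOCAL_LAN, REMOTE_LAN, PUBLIC_IP = "192.168.1.0", "192.168.2.0", "203.0.113.1"
WILD_24 = "0.0.0.255"
SITE_TO_SITE = Packet("192.168.1.10", "192.168.2.20")
TO_INTERNET = Packet("192.168.1.10", "198.51.100.5")

IPSEC_ACL_PRIVATE = [Rule("permit", LOCAL_LAN, WILD_24, REMOTE_LAN, WILD_24)]
NAT_ACL_OVERLAPPING = [Rule("permit", LOCAL_LAN, WILD_24)]  # also catches LAN-to-LAN


def overlapping(pkt=SITE_TO_SITE) -> dict:
    """Broken: NAT rewrites the source first, the IPSec ACL no longer matches,
    and the packet leaves the interface in clear text."""
    return forward(pkt, NAT_ACL_OVERLAPPING, PUBLIC_IP, IPSEC_ACL_PRIVATE)


def fix_deny_in_nat(pkt=SITE_TO_SITE) -> dict:
    """Method 1: deny the IPSec-protected flow in the NAT ACL, ahead of the permit."""
    nat_acl = [Rule("deny", LOCAL_LAN, WILD_24, REMOTE_LAN, WILD_24)] + NAT_ACL_OVERLAPPING
    return forward(pkt, nat_acl, PUBLIC_IP, IPSEC_ACL_PRIVATE)


def fix_ipsec_on_translated(pkt=SITE_TO_SITE) -> dict:
    """Method 2: make the IPSec ACL match the NAT-translated source address."""
    ipsec_acl = [Rule("permit", PUBLIC_IP, "0.0.0.0", REMOTE_LAN, WILD_24)]
    return forward(pkt, NAT_ACL_OVERLAPPING, PUBLIC_IP, ipsec_acl)


if __name__ == "__main__":
    for name, fn in [("overlapping", overlapping),
                     ("deny in NAT ACL", fix_deny_in_nat),
                     ("IPSec ACL on translated address", fix_ipsec_on_translated)]:
        print(f"{name:32} site-to-site={fn()}  internet={fn(TO_INTERNET)}")
```

In the overlapping case the site-to-site packet is reported with the public source address and encrypted=False, which is exactly what display acl all reveals on the device: the NAT ACL counter increments for traffic that the IPSec ACL was supposed to protect. Both fixes keep ordinary Internet-bound traffic translated and unencrypted, so the check also confirms that the deny rule is narrow enough.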

Other related questions:
ARs configured with IPSec on two private networks cannot communicate with each other
The possible causes are as follows:
1. The public addresses of the two IPSec-enabled ARs cannot ping each other.
2. The data flow to be encapsulated with the IPSec header is defined incorrectly, or both IPSec and NAT are performed on the same data flow. Run the display acl all command to check ACL matching. If both IPSec and NAT are performed on the same data flow, use either of the following methods to prevent the overlap:
  -Deny the destination IP address of the ACL rule referenced by IPSec in the ACL rule referenced by NAT. By doing so, the device does not perform NAT on the data flow protected by IPSec.
  -Make the ACL rule referenced by IPSec match the NAT-translated IP address.
3. The AR incorrectly learns private routes. The outbound interface of the route to the destination private network is not the public network interface with IPSec enabled.

Why the private networks cannot communicate after the L2TP dialup is successful
When the L2TP dialup is successful, private networks may still fail to communicate due to the following causes:
-The firewall is enabled on the internal host.
-The local subnet and the remote intranet are on the same network segment.
-The L2TP dialup address is on the same network segment as the LAN users, but the proxy ARP function is disabled.
-The MTU value on the virtual interface is improper. The MTU value plus the lengths of all added headers must not exceed the MTU of the physical interface; otherwise, the packets are discarded if the device does not support fragmentation.
-The TCP MSS value on the virtual interface is improper. Ensure that the MSS value plus the lengths of all headers does not exceed the MTU; otherwise, packet transmission may be affected.
-LCP renegotiation is not configured.
-The LAC and LNS have no reachable routes to each other.
-Tunnel authentication is not configured.
-When IPSec encryption is used, the data flow does not match the ACL.

Private network communication fails after IPSec is configured. What are the causes
Private networks fail to communicate with each other after IPSec is configured. The possible causes are as follows:
-The public addresses of the two IPSec-enabled devices cannot ping each other.
-The data flow defined for IPSec encapsulation is the same as that defined for NAT. Run the display acl all command to view the matching ACL rules. In this case, use either of the following methods to prevent the overlap:
  -Ensure that the destination IP address in the ACL rule referenced by IPSec is denied in the ACL rule referenced by NAT. By doing so, the device does not perform NAT on the data flow protected by IPSec.
  -Make the ACL rule referenced by IPSec match the NAT-translated IP address.
-The device incorrectly learns private routes. The outbound interface to the destination private network is not the public network interface with IPSec enabled.

How can the TE30 on a private network communicate with a terminal on another private network?
To enable two TE30s on different private networks to communicate, the private IP address of each endpoint must be mapped to a public IP address through NAT. For details, see chapter 4 Endpoints on Different Private Networks in the HUAWEI TE30&TE40&TE50&TE60&TX50 Videoconferencing Endpoint Configuration Examples.
